Jens Kalaene/DPA, via Corbis

Inside the Great Bitcoin Heist

02.18.14 10:45 AM ET

Two major bitcoin heists worth millions of dollars have struck in the cyber world beyond the reach of Google into what is known as the “deep web.”

This vast realm of cyberspace comprises some 90 percent of the internet and allows users to travel and communicate in an untraceable anonymity that even the NSA has difficulty compromising. Users are accorded freedom from big menaces such as censorship and political oppression, as well smaller ones such as privacy-invading marketers.

But there are also those who take advantage of the freedom to sell drugs, steal— or maybe both in the case of these two big heists. One of the heists may have exceeded the $6 million Lufthansa heist of Goodfellas fame in 1978, by as much as eight-fold in actual dollars, still double when adjusted for inflation.

They both, however, follow the aftermath of Operation Marco Polo, in which the FBI shut down the deep web rug bazaar Silk Road and arrested its alleged founder, Ross Ulbricht, in October. Users who then went to the site were greeted by the words:

‘THIS HIDDEN SITE HAS BEEN SEIZED”

When the FBI arrested Ulbricht in a San Francisco Public library, an agent managed to snatch his laptop from him before the could snap it shut and trigger its password protections. Ulbricht—who goes by the online alias “Dread Pirate Robert” or just “DPR”—denies all charges against him, despite allegedly having 173,991 bit coins in his “wallet.” That was added to 29,655 bitcoins the FBI seized when it shut down Silk Road. The total came to 173.991, estimated to be worth some $34.6 million at the time, but rising to over $175 million at the height of the bitcoin roller coaster.

In the aftermath of the Silk Road takedown, an online character known as MettaDPR popped up in the deep web, and seems to have perpetrated a small theft scam that preceded the big heists soon to come.

“Metta,” which is the Pali word for “goodwill”, was melded with DPR to befit the administrator of a new market place called Project Black Flag in the immediate aftermath of the Silk Road takedown.

But the moniker turned ironic just three weeks later, when the new pirate of the deep web posted an announcement that he was shutting down and taking his customers’ money with him.

“Well mates, I am saddened to say goodbye. When I created P: BF, my intent was pure and I wanted to help the community. Several days ago I begin implementing code changes to freeze funds and dump them to myself. I was unable to cope with the stress and constant demand, so I panicked. I am sorry for my actions, but with the funds I gathered from the site, I will be able to keep myself from being homeless for the next several months. I will always remember those that made this possible.”

As a departing gesture, MettaDPR said he would leave up a forum for people to curse him for taking down Black Flag itself and making off with what is estimated to be a few thousand dollars in bitcoins.

“I take no offense at truth,” he wrote. “I understand the depth of my failure.”

The more charitable commenters wondered if MettaDPR was just a bumbler who had panicked after getting in over his head. Others figured it was just a scam from the outset. One poster named Pablo offered a 50 bitcoin reward for “real info” identifying the MettaDPR.

“Friend in Mexico want to talk to Metta,” Pablo wrote.

That may well have been some online role playing, but lest you think no actual danger lurks in the deep web, consider that the charges against Ulbricht include multiple murder conspiracies.

Get The Beast In Your Inbox!

Daily DigestStart and finish your day with the top stories from The Daily Beast.

Cheat SheetA speedy, smart summary of all the news you need to know (and nothing you don't).

You are now subscribed to the Daily Digest and Cheat Sheet. We will not share your email with anyone for any reason

Those who wanted to take advantage of deep web anonymity to buy illegal drugs, as well other items such as firearms and forged drivers licenses, could still go to Sheep Marketplace, which had been founded earlier in 2013.

Then, in late November, Sheep Marketplace announced that it had been looted of all its bitcoins, including the ones customers had lodged with the site pending the completion of deals:

“We are sorry to say, but we were robbed on Saturday 11/21/2013 by vendor EBOOK101. This vendor found bug in system and stole 5400 BTC—your money, our provisions, all was stolen. We were trying to resolve this problem, but we were not successful.”

This came just as the value of a bitcoin was spiking up past $1,000, which would put the theft reported by the Sheep Marketplace administrators at more than $5.4 million. The website Blockchain, which records the movement of bitcoins, recently indicated that the 39,918 bitcoins received by Sheep Marketplace had subsequently just vanished, leaving a balance of just 0.01 bitcoins.

That would put the actual theft in excess of more than $40 million, whereas the Lufthansa heist was under $22 million n present dollars.

A website called sheepmarketplacescam.com sprang up and noted that in the days before the crime a number of vendors who were apparently close to the Sheep Marketplace administrators suddenly began offering much bigger loads of drugs at discount prices and demanding that the money be paid upfront. The suggestion was that it was not a robbery but a scam, a repeat of MettaDPR’s hustle on a huge scale.

In the meantime, a revived Silk Road, or at least a good facsimile, materialized. Users were greeted with an altered version of the notice the FBI had posted, the words “BEEN SEIZED” now replaced.

“THIS HIDDEN SITE HAS RISEN AGAIN.”

What seems to have been a new Dread Pirate Robert, DPR2, greeted users with a “welcome back to Freedom” note. The site was back in business, with a page offering a menu of illegal drugs in categories ranging from “opiods” to “cannabis” to “stimulants.”

Then, last week, a site administrator calling himself Defcon announced in a lengthy post that the new Silk Road had been hacked and cleaned out of the 4,4474 bitcoins worth $2.7 million.

“I am sweating as I write this,” Defcon’s post began.

He went on, “I must utter words all too familiar to this scarred community: We have been hacked.”

He quickly added, “Nobody is in danger, no information has been leaked, and server access was never obtained by the attacker. Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the bitcoin protocol known as ‘transaction malleability’ to repeatedly withdraw coins from our system until it was completely empty.”

In other words, the money was gone. He went on to say that “this attack hit us at the worst possible time,” just when the site had placed all available bitcoins in accessible “hot storage” to cover projected orders.

“In retrospect this was incredibly foolish, and I take full responsibility for this decision,” Defcon said. “I have failed you as a leader, and am completely devastated by today’s discoveries.”

He seemed to be either sincere or a pretty good scamster when he lamented, “It is a crushing blow. I cannot find the words to express how deeply I want this movement to be safe from the very threats I just watched materialize during my watch.”

He beseeched the thieves, “Whoever you are, you still have a chance to act in the interest of helping this community. Keep a percentage, return the rest. Don’t walk away with your fellow freedom fighters’ coins.”

As if this were Occupy Deep Web, he continued, “It takes an entire community committing to integrity—and though this crushing blow will not stop us, it sure is a testament to how greedy some bastards truly are. Being a part of this movement might be the most defining thing you do with your entire life. Don’t trade that for greed, comrades.”

One could almost forget Silk Road is a bazaar for drug dealers as Defcon said, “The only way to reverse a community’s greed is through generosity. Our true character is revealed during trying times.”

He even offered, “If this financial hardship places you at risk of physical harm, contact me directly and I will do my best to help you with my remaining personal funds.”

He then announced new security measures and financial procedures with a spirit we could have only wished the big banks had shown after the near collapse of the economy:

“We do not want to be a centralized point of failure, but we also do not want to lead our buyers into dangerous waters.”

He added, "From this point forward DO NOT trust markets with centralized escrow. Use multi-signature transactions whenever possible, with trusted third parties as escrow providers.”

The message took an ironic twist when Defcon offered reassurances that in raiding the site the crooks had not compromised user anonymity so as to leave dealers and buyers open to being identified by law enforcement. Silk Road users would otherwise face being busted as a result of being robbed.

“This was not a worst-case scenario: nobody will be getting arrested from this,” Defcon said. “Financial loss is terrible, but will not put all of us behind bars.”

In another twist, the site that pledges “anonymous market” at the upper left of its merchandise listings was posting info that could help track down the thieves.

“I’ve included transaction logs at the bottom of this message. Review the vendor’s dishonest actions and use whatever means you deem necessary to bring this person to justice,” Defcon wrote. "More details will emerge as we continue to investigate. Given the right flavor of influence from our community, we can only hope that he will decide to return the coins with integrity as opposed to hiding like a coward.”

Defcon closed by saying, “The details we have on the hacker are below. Stop at nothing to bring this person to your own definition of justice.”

The info rundown was headed “Attacker Intel as of 2014-02-13 18:00:00 UTC” and was preceded with the message, “We normally do not doxx anyone, and hold user information sacred…”

Doxx meaning to reveal someone’s actual identify.

“…But this is an extreme situation affecting our entire community, and all three users who have exploited this vulnerability are very much at risk until they approach us directly to assist with any information.”

The main attacker, “responsible for 95% of theft,” was “suspected French” and supposedly used six vendor accounts “to order from each other, to find and exploit the vulnerability aggressively.” The usernames were narco93,ketama, riccola, germancoke, napolicoke, and smokinglife.

“Finding Attacker 1 is top priority,” the posting advised.

The other two attackers were together responsible for only about 5 percent of the thefts, though both seem to know the major suspected thief.

Among some of the more suspicious denizens of the deep web are mutterings that maybe the revival of Silk Road is just one big scam; that Defcon is just a con.

Meanwhile, the U.S. government finds itself with 173,000 bitcoins, or by one reckoning 1.5 percent of all bitcoins.

In one ultimate twist to the tale, access to the deep web was developed via the U.S. Navy Research Laboratory, and conceived as an “onion router,” meaning a system that adds successive layers of encryption to an online identity as it randomly caroms around a volunteer network of relays. The result was The Onion Router, or TOR, which then became Tor.

As it so happens, the Tor Project is subsidized by the U.S. government, Sweden and private donations. The software is available to everyone for free—not so much as a bitcoin.